Bleepingcomputer
Trigona Ransomware Group Deploys Custom Exfiltration Tool for Data Theft
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In March 2026, the Trigona ransomware group, which operates as a Ransomware-as-a-Service (RaaS), utilized a newly developed custom tool named 'uploader_client.exe' to enhance their data exfiltration capabilities. This tool allows for rapid and stealthy data theft, targeting high-value documents such as invoices and PDFs stored on network drives. The shift from commonly used utilities like Rclone and MegaSync to proprietary malware indicates a strategic move to avoid detection by security solutions. The attackers also employed the Huorong Network Security Suite tool HRSword to disable security measures on compromised systems, followed by the use of various other tools to facilitate credential theft and remote access. Notably, AnyDesk was used for remote access, while Mimikatz and Nirsoft tools were leveraged for credential harvesting. Despite disruptions to their operations in late 2023, Trigona affiliates have resumed attacks, indicating a persistent threat to organizations. Symantec has issued indicators of compromise (IoCs) to assist in detection and prevention efforts.
Key Points: • Trigona ransomware group has introduced a custom exfiltration tool for enhanced data theft. • The tool, 'uploader_client.exe', allows for rapid data transfer and evasion of security measures. • Recent attacks indicate a resurgence of Trigona operations despite previous disruptions.